Shulou(Shulou.com)06/01 Report--

This article mainly explains "how to achieve Ubuntu Server security settings". The content of the article is simple and clear, and it is easy to learn and understand. Please follow the editor's ideas to study and learn "how to achieve Ubuntu Server security settings".

I. Overview of users

By default, root users of ubuntu server are not enabled, and general users temporarily gain administrator privileges by prefixing the command with "sudo". You will then be prompted for password, which is the same as the password of the average user. You can also use sudo-I to promote the average user to superuser.

To enable the root account, simply run sudo passwd root, and then enter the password as prompted to activate root. If you want to shut down the root user, simply run sudo passwd-l root.

There is no connection between the password of the Root account and the password of the average user using sudo. The difference between the sudo of a root account and an ordinary account is that after logging in with a root account, the permission is always an administrator, while the sudo of an ordinary account is an administrator right only when a certain command is executed, and will be automatically reduced to an ordinary user right after executing the command.

II. Setting and recovery of user passwords

Use the command sudo passwd user-name, and then follow the prompts for the sudo password, and if the verification passes, you will be prompted for a new password for user-name. This command can also set and recover passwords for root.

III. Security of GRUB

GRUB is used to boot the system and perform system recovery. You can increase its security by adding an operation password to it. The main purpose is to modify "/ boot/grub/menu.lst". Examples are as follows:

Before modification:

The code is as follows:

Default 0

Timeout 10

Title Ubuntu,kernel 2.6.15-26-server-LAMP

Root (hd0,2)

Kernel / boot/vmlinuz-2.6.15-server root=/dev/hda3 ro quiet splash

Initrd / boot/initrd.img-2.6.15-server

Savedefault

Boot

After modification:

The code is as follows:

Default 0

Timeout 10

Password=12345

Title Ubuntu,kernel 2.6.15-26-server-LAMP

Lock

Root (hd0,2)

Kernel / boot/vmlinuz-2.6.15-server root=/dev/hda3 ro quiet splash

Initrd / boot/initrd.img-2.6.15-server

Savedefault

Boot

Then in the reboot system, when the GRUB screen appears, move the cursor to the option, press' pause, and enter the password 12345. In this way, malicious sabotage through recovery mode can be effectively prevented, such as changing the root password.

Because the password of the above method appears in menu.lst in clear text, it is also dangerous, so it can be encrypted. The details are as follows:

Sudo grub-md5-crytp, then enter 12345 twice as prompted (please change it to any character), and then 31 characters appear, recording the string. Modify password=12345 to password-md5 31-bit string, reboot system can.

IV. Use the rescue CD to recover the system

When you forget the GRUB password or for some reason GRUB cannot start, you can use the rescue CD. Put the disc into the CDROM,reboot system and move the cursor to "Resuce broken system" when the startup entry appears. The hardware of the system is then automatically monitored, such as language type, network interface, hard disk, etc. Finally, the command line option appears:

The code is as follows:

Execute a Shell in / dev/discs/disc0/part1

Execute a Shell in the installer environment

Reinstall GRUB boot loader

Choose a different root file system

Reboot the system

Select the first item and then enter bash shell.

Note: the part1 in / dev/discs/disc0/part1 indicates the partition of the system installation to be restored, which should be selected according to the actual situation.

5. Summary

For security reasons:

1 root account should be disable

2 MD5 password should be set for GRUB

3 BIOS should be set to disable booting of the system from CD-ROM.

6. Ensure the security of SSH

SSH is a good way to remotely manage a server. However, there are still many problems in SSH. The communication between the server and the client is secure, but this does not mean that the hosts involved are also secure. Opening a SSH service to the outside world means allowing brute force attacks.

There are some very simple ways to really enhance remote access via SSH, especially if we can't associate this service with a limited number of source ports.

Let's start with one important thing, sshd_config. In Ubuntu, this is usually found in / etc/ssh, which can be used to configure a large number of features. The simplest is often the best. Limiting the number of users who can log in through SSH is a top priority. This can be done in two ways: by user or by group. AllowGroups allows any authenticated user of a group to access the server through SSH. A more subtle approach, however, is to use the AllowUsers option.

Another simple way is to move the listening port from port 22 to some other randomly designated port. This reduces the possibility of displaying SSHD running status scans.

We can also disable access to the root and disable password authentication instead of using key authentication.

The next step is to use a gadget called Denyhosts, which you can download from http://denyhosts.sourceforge.net/. We must make sure that the resources in / etc/apt/source.list are enabled, then type the following command:

The code is as follows:

Sudo apt-get update

Sudo apt-get install denyhosts

DenyHosts is intended to be run by Linux system administrators to help them thwart attempts to attack SSH servers (also known as dictionary-based or brute force attacks).

DenyHosts acts as a dynamic blocker for SSH and other services, relying on / etc/hosts.deny and hosts.allow to work, and can dynamically build a list of hosts that repeatedly connect to our servers. By default, this service blocks IP address sources that are constantly trying to connect to our hosts and implement access. The processing of Denyhosts is configured in / etc/denyhosts.conf.

We can also limit the connection rate of Iptables lines, and we should also deploy firewalls on the server.

Once these arrangements are in place, we will be sure that we have a more secure SSH on a mainframe for the public.

Thank you for reading, the above is the content of "how to achieve Ubuntu Server security settings". After the study of this article, I believe you have a deeper understanding of how to achieve Ubuntu Server security settings, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.